GitHub Engineering

GitHub EngineeringJan 14, 2026

GitHub Availability Report: December 2025

Why it matters: This report highlights the operational challenges of scaling AI-integrated services and global infrastructure. It provides insights into managing model-backed dependencies, handling cross-cloud network issues, and mitigating traffic spikes to maintain high availability for developer tools.

A Kafka misconfiguration prevented agent session data from reaching the AI Controls page, leading to improved pre-deployment validation.
Copilot Code Review experienced degradation due to model-backed dependency latency, mitigated by bypassing fix suggestions and increasing worker capacity.
Network packet loss between West US runners and an edge site caused GitHub Actions timeouts, resolved by rerouting traffic away from the affected site.
A database migration caused schema drift that blocked Copilot policy updates, resulting in hardened service synchronization and deployment pipelines.
Unauthenticated traffic spikes to search endpoints caused page load failures, addressed through improved limiters and proactive traffic monitoring.

#sre #dist #mlp

Read original

GitHub EngineeringJan 14, 2026

Community-powered security with AI: an open source framework for security research

Why it matters: This framework lowers the barrier for security research by using AI to automate complex workflows like variant analysis. By integrating with CodeQL via MCP, it allows engineers to scale vulnerability detection using natural language, fostering a collaborative, community-driven security model.

GitHub Security Lab released the Taskflow Agent, an open-source agentic framework designed for security research and automation.
The framework leverages the Model Context Protocol (MCP) to interface with existing security tools such as CodeQL.
It allows researchers to encode and scale security knowledge using natural language to perform complex tasks like variant analysis.
The agent is experimental but ready for community use, supporting various AI backends including GitHub Models API.
A provided demo illustrates how to set up the environment in GitHub Codespaces to automate vulnerability detection workflows.

#security #mlp

Read original

GitHub EngineeringJan 13, 2026

What AI is actually good for, according to developers

Why it matters: Understanding how to integrate AI without disrupting 'flow' is crucial for productivity. Effective AI tools should focus on removing toil and providing contextual assistance rather than replacing human judgment or forcing unnatural interaction patterns like constant chat-switching.

AI tools should prioritize maintaining developer flow by integrating directly into editors, terminals, and code review processes.
Natural language chat interfaces can cause cognitive burden due to context-switching; contextual, inline suggestions are often more effective.
Developers prefer AI for automating repetitive tasks like scaffolding and boilerplate while retaining control over logic and architecture.
AI serves different roles based on experience: accelerating senior developers and helping junior developers learn syntax and fundamentals.
Customization of AI tool behavior is essential to prevent AI fatigue and intrusive interruptions during the coding process.

#mlp #culture

Read original

GitHub EngineeringJan 12, 2026

Want better AI outputs? Try context engineering.

Why it matters: Context engineering integrates organizational standards into AI workflows. By providing structured context, engineers ensure AI-generated code adheres to specific architectures, reducing manual corrections and maintaining high-quality standards across the codebase.

Context engineering focuses on providing the right information and format to LLMs rather than just clever phrasing.
Custom instructions allow teams to define global or task-specific rules for coding conventions and naming standards.
Reusable prompt files (.prompts.md) standardize common workflows like code reviews, scaffolding, and test generation.
Custom agents enable specialized AI personas with defined responsibilities, such as security analysis or API design.
Implementing these techniques improves code accuracy and consistency while reducing repetitive manual prompting.

#mlp #culture #security

Read original

GitHub EngineeringJan 10, 2026

Light waves, rising tides, and drifting ships: Game Off 2025 winners

Why it matters: Game Off highlights the power of open-source collaboration in creative engineering. It provides a massive repository of real-world game code for developers to study, while fostering a culture of shipping and peer review within the global developer community.

GitHub's 13th annual Game Off jam challenged developers to build games around the theme 'WAVES,' emphasizing open-source collaboration.
Participants shared full source code for their entries, providing a rich learning resource for game mechanics and engine implementation.
The winning entry, Evaw, demonstrates advanced use of the Godot engine to simulate light and sound wave physics in a platformer.
The competition serves as a community showcase where developers practice shipping products, peer-reviewing code, and experimental game design.
Entries featured diverse technical implementations, including tide-based puzzle logic and complex naval drift physics.

#culture #frontend

Read original

GitHub EngineeringJan 8, 2026

Why AI is pushing developers toward typed languages

Why it matters: As AI-generated code becomes more prevalent, type systems provide a critical safety net by catching the high volume of errors (94%) introduced by LLMs. This shift ensures reliability and maintainability in projects where developers no longer write every line of code manually.

AI-generated code increases the volume of unvetted logic, making type-driven safety nets essential for maintaining software reliability.
A 2025 study found that 94% of LLM-generated compilation errors are type-check failures, which static typing can catch automatically.
TypeScript has overtaken Python and JavaScript as the most used language on GitHub, driven by AI-assisted development and framework defaults.
Type systems serve as a shared contract between developers and AI agents to ensure scaffolding and boilerplate conform to project standards.
Growth in typed languages extends beyond TypeScript to include Luau, Typst, and traditional languages like Java, C++, and C#.

#mlp #frontend #culture

Read original

GitHub EngineeringDec 30, 2025

Agentic AI, MCP, and spec-driven development: Top blog posts of 2025

Why it matters: The shift from AI as autocomplete to autonomous agents marks a major evolution in productivity. Understanding agentic workflows, MCP integration, and spec-driven development is essential for engineers to leverage the next generation of AI-native software engineering.

GitHub Copilot introduced Agent Mode, enabling real-time code iteration and autonomous error correction directly within the IDE.
The new Coding Agent automates the full development lifecycle from issue assignment and repository exploration to pull request creation.
Agent HQ provides a unified ecosystem allowing developers to integrate agents from multiple providers like OpenAI and Anthropic into GitHub.
Model Context Protocol (MCP) support and the GitHub MCP Registry simplify how AI agents interact with external tools and data sources.
Spec-driven development emerged as a key methodology, using the Spec Kit to make structured specifications the center of agentic workflows.
The year featured critical industry reflections, including Git's 20th anniversary and security lessons learned from the Log4Shell breach.

#mlp #security #culture

Read original

GitHub EngineeringDec 29, 2025

Bugs that survive the heat of continuous fuzzing

Why it matters: Continuous fuzzing isn't a 'set and forget' solution. Engineers must actively monitor coverage, instrument dependencies, and supplement automated testing with manual audits to catch logic-based vulnerabilities that automated tools often miss.

Continuous fuzzing through OSS-Fuzz is not a silver bullet and requires active human oversight to maintain coverage and create new fuzzers.
Low fuzzer counts and poor code coverage, such as GStreamer's 19%, leave significant portions of codebases vulnerable to undetected bugs.
External dependencies often lack instrumentation, creating blind spots where fuzzers cannot receive feedback or explore deep execution paths.
Standard fuzzing techniques excel at finding memory corruption but frequently miss complex logic bugs, such as sandbox escapes in Ghostscript.
Enrollment in automated security tools can create a false sense of security if developers stop performing manual audits and monitoring build health.

#security

Read original

GitHub EngineeringDec 26, 2025

WRAP up your backlog with GitHub Copilot coding agent

Why it matters: GitHub Copilot coding agents can significantly reduce technical debt and backlog bloat. By applying the WRAP framework, engineers can delegate repetitive tasks to AI, allowing them to focus on high-level architecture and complex problem-solving.

The WRAP framework (Write, Refine, Atomic, Pair) provides a structured approach to using GitHub Copilot coding agents for backlog management.
Effective issue writing requires treating the agent like a new team member by providing context, descriptive titles, and specific code examples.
Custom instructions at the repository and organization levels help standardize code quality and enforce specific patterns across projects.
Large-scale migrations or features should be decomposed into small, atomic tasks to ensure pull requests remain reviewable and accurate.
The human-agent pairing model leverages human strengths in navigating ambiguity and understanding 'why' while the agent handles execution.

#mlp #culture

Read original

GitHub EngineeringDec 23, 2025

Strengthening supply chain security: Preparing for the next malware campaign

Why it matters: Supply chain attacks like Shai-Hulud exploit trust in package managers to automate credential theft and malware propagation. Understanding these evolving tactics and adopting OIDC-based trusted publishing is critical for protecting organizational secrets and downstream users.

The Shai-Hulud campaign evolved from simple credential theft to sophisticated multi-stage attacks targeting CI/CD environments and self-hosted runners.
Attackers utilize malicious post-install scripts to exfiltrate secrets, including npm tokens and cloud credentials, to enable automated self-replication.
The malware employs environment-aware payloads that change behavior when detecting CI contexts to escalate privileges and bypass detection.
npm is introducing 'staged publishing,' which requires MFA-verified approval before packages go live to prevent unauthorized releases.
Security roadmaps include bulk OIDC onboarding and expanded support for CI providers to replace long-lived secrets with short-lived tokens.
Engineers are advised to use the --ignore-scripts flag during installation and adopt phishing-resistant MFA to mitigate credential-adjacent compromises.

#security #dist

Read original

Page 11 of 15

Prev 1...9 10 11 12 13...15 Next